Sunday, 26 April 2009


This bot, configured and implemented by the black-hat, captured all their conversations on an IRC channel. We monitored these conversations over a two-week period, all of which are contained here. This paper is not meant to be a generalization of the black-hat community. Instead, we present a specific incident involving several individuals. However, this should give you an idea of how certain members can think and behave. This is a common threat that we all face in the security community, and we sincerely hope other security professionals benefit from this work.

This information was obtained through the use of a honeynet. A honeynet is a network of various honeypots, designed to be compromised by the black-hat community. While some honeypots are used to divert the attention of attackers from legitimate systems, the purpose of a honeynet is to learn the tools and tactics of the black-hat community. Most of the information provided in this document has been sanitized. Specifically, user identities and passwords, credit card numbers, and most of the system names involved have all been changed. However, the actual technical tools and the chat sessions themselves have not been sanitized. All this information was forwarded to both CERT and the FBI before being released. Also, over 370 notifications were sent out to administrators of systems we believed were compromised.

Foreword, by Brad Powell

Part I: The Compromise

A Solaris 2.6 default installation was used for our honeypot. No modifications or patches were installed on the system. The vulnerabilities discussed here exist in any default, unpatched installation of Solaris 2.6. That is the whole purpose of the honeynet: to identify vulnerabilities in production systems and learn how they are exploited. When exploited, we can then learn the tools and tactics of the black-hat community.
The honeynet itself is an environment designed to track the black-hat's every move.

On June 4, 2000 our Solaris 2.6 honeypot was compromised with the rpc.ttdbserv Solaris exploit, which allows the execution of code via a buffer overflow in the ToolTalk object database server (CVE-1999-0003). Note that this exploit is also listed as #3 in the SANS Top Ten list. This attack was both detected and alerted by snort, a sniffer-based IDS:

Jun 4 11:37:58 lisa snort[5894]: IDS241/rpc.ttdbserv-solaris-kill:192.168.78.12:877 -> 172.16.1.107:32775

The rpc.ttdbserv exploit is a buffer overflow attack that allows the remote user to execute commands on the system as root. The following command was executed, giving the black-hat a backdoor. The service ingreslock (predefined in /etc/services as port 1524) is added to a file called '/tmp/bob', and then inetd is
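The snort alert above is the single line that detected this compromise. As an added example (not code from the original paper or from the Honeynet Project), the following parses syslog-forwarded snort alerts in that exact format and groups the targeted hosts per signature, which is the list a responder would work from when deciding which systems to examine and whose administrators to notify. The sample log is constructed; only its first line copies the alert format quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: line 1 is the alert format quoted in the paper, line 2 is
# an unrelated syslog line the parser must skip, line 3 is a made-up second alert.
SAMPLE_LOG = """\
Jun 4 11:37:58 lisa snort[5894]: IDS241/rpc.ttdbserv-solaris-kill:192.168.78.12:877 -> 172.16.1.107:32775
Jun 4 11:38:02 lisa sshd[812]: Accepted password for admin from 10.0.0.5 port 4011
Jun 4 11:40:10 lisa snort[5894]: IDS241/rpc.ttdbserv-solaris-kill:192.168.78.12:878 -> 172.16.1.108:32775
"""

# <timestamp> <host> snort[<pid>]: <rule id>/<signature>:<src>:<sport> -> <dst>:<dport>
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"(?P<sid>[^/\s]+)/(?P<sig>[^:\s]+):"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class SnortAlert:
    ts: str
    host: str   # sensor that logged the alert
    sid: str    # snort rule id, e.g. IDS241
    sig: str    # signature name, e.g. rpc.ttdbserv-solaris-kill
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a syslog-forwarded snort line, or None for any other line."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return SnortAlert(m["ts"], m["host"], m["sid"], m["sig"],
                      m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def victims_by_signature(log: str) -> dict:
    """Map each signature to the sorted list of destination hosts it fired against."""
    hits: dict = {}
    for line in log.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            hits.setdefault(alert.sig, set()).add(alert.dst)
    return {sig: sorted(hosts) for sig, hosts in hits.items()}
```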

Features: DYN, NEW, SEF
init: Unknown configuration item: "NOSEEN" (ignored)
init: Mechs added [ save2 ]
init: Warning: save2 has no userlist, running in setup mode
init: EnergyMech running...
# exit;
$ exit

Once the bot was in place, they left the system alone. It is this bot that captured all of their conversations (see Part II below). For more information on IRC and how the black-hat community uses IRC and bots, we highly recommend the paper Tracking Hackers on IRC by David Brumley. Over the course of the following week they returned several times, only to confirm that they still had access. One week later, on 11 June, they connected again and attempted to use the system for Denial of Service attacks. However, the honeynet is designed to block any attempt to use a honeypot as a base of an attack against outside systems. All attempts to use the honeypot for a Denial of Service attack were automatically blocked.

What we have witnessed here are commonly used tools and tactics of the black-hat community. Our black-hat randomly scanned the Internet for a known vulnerability (in this case rpc.ttdbserv). Once identified, they quickly compromised the system and installed a rootkit using commonly scripted tools. Once they had control, they installed a bot, most likely to ensure they would maintain 'ops' on the IRC channels of their choice. What is uncommon are the two weeks of IRC chat sessions that their bot captured for us. In the next part of this paper, we discover the motivations and psychology of the black-hat community, in their own words. If you are concerned that your system(s) may have been compromised by similar means, review this checklist. It covers what to check for and links on how to react to a system compromise.

Part II: The IRC Chat Sessions

Below are the actual chat sessions of the black-hat community, specifically two individuals whom we will call D1ck and J4n3. Most of their chats will happen on the IRC channel we will call K1dd13. You will read the activities of these two main characters, and a variety of others. The chat sessions are broken down by days, listed below. We recommend you read them in sequence, so you can better understand what is going on. IRC channels, IRC nicks, system names and IP addresses have been sanitized. All system IP addresses have been replaced with RFC 1918 address space, all system domain names have been replaced with 'example', and all credit card numbers have been replaced by 'xxxx'. Any similarities the IRC channels or IRC nicks may have with the real world are purely coincidental. Be advised, some of the language used is abusive in nature; we have chosen not to sanitize this. Also, sometimes several of the black-hats will speak foreign languages. Where possible, we have translated this into English. As you read these chat sessions, take into consideration their lack of skill and networking knowledge. Often you will see them attempting to figure out the most fundamental of Unix skills. And yet, they are still able to compromise or damage a large number of systems. This is not a threat to take lightly.

Day 1, June 04
Our chat sessions begin with the discussion of building an exploit archive and the sharing of exploits to be used against potential targets.

Day 2, June 05
Today D1ck and J4n3 share exploits and Denial of Service attacks. Notice how they brag about how many blists (broadcast amplifier networks) they have for the attacks. Looks like one of them is gunning for Linux boxes in .edu land. They also discussed using new rootkits for Linux and Sparc.

Day 3, June 06
D1ck and J4n3 brag about the systems they have launched Denial of Service attacks against. Later on D1ck teaches J4n3 how to mount a drive. Then they discuss sniffit (how to use it) and last, D1ck desperately looks for an Irix exploit and rootkit.

Day 4, June 07
D1ck and J4n3 decided they want to take out India with Denial of Service attacks and bind exploits. Later on, they DoS other IRC members who irritate them.

Day 5, June 08
D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works: "umm doesnt it have to be the same network?".

Day 6, June 09
Our wonder team has been busy; looks like D1ck rooted over 40 systems. If they scan enough systems, they can and will gain root.

Day 7, June 10
Not an exciting day. D1ck teaches a new k1dd13 how to use the sadmind exploit. We are not sure if D1ck even knows how to use it himself.

Day 8, June 11
D1ck and J4n3 discuss systems they own and people they want to DoS. D1ck discovers Ping of Death and thinks he is very k3wl.

Day 9, June 12
Looks like D1ck strikes it big: he finds an ISP and gains access to their billing and over 5,000 user accounts. Now they have to figure out how to crack them.

Day 10, June 13
Sp07 joins the gang today. Not the friendliest individual for the Internet community. Seems to have taken a wee bit of a dislike to India also.

Day 11, June 14
They start cracking user passwords and access personal accounts.

Day 12, June 15 (also with Romanian translated)
D1ck and J4n3 try to find credit card numbers on a Credit Card channel so they can buy some domain names.

Day 13, June 16 (also with Romanian translated)
D1ck and J4n3 still hang out on the Credit Card channel. Members swap credit cards, shell accounts, and porn sites. At the end of the chat session, D1ck and J4n3 focus on their website.

Day 14, June 17 (also with Romanian translated)
D1ck and J4n3 cover how to gain accounts on a Linux box, talk more about Credit Cards and continue building a website.

We have just reviewed 14 days in the life of the black-hat community. This is not meant to imply that all black-hats think and act like this. In fact, we have focused only on a few specific individuals. However, we hope this information gives you an idea of what many of the community are capable of. They may not be technically competent, or even understand the tools they are using. However, by focusing on a large number of systems, they can achieve dramatic results. This is not a threat to take lightly. They are not concerned about what harm they may cause. They focus only on achieving their goals.